Solved

Problem with security certificate

Posted on 2014-10-26
Last Modified: 2014-11-02
This is my environment:

Running Windows 7 with Firefox 33.0
Running two Ubuntu Linux servers
I am using a tool to manage the Linux servers called "Webmin"

Webmin is a tool running on Linux that is accessed via a web browser. This Linux server listens on an SSL socket at port 10000.

Out of nowhere, I get an error message when connecting the browser to either of the Linux Webmin servers. The process goes like this:

In the browser URL I enter this: https://192.168.1.94:10000
The connection is refused with this message: Error code: sec_error_invalid_key

The servers are in the same room. I'm "clueless" how and why a certificate process is needed.

However, on another Windows 7 system also in the same room, the connection is completed error free.
Also, on this failing windows system, it matters not if Internet Explorer or Firefox tries to make the connection as both fail with a certificate error.

It is apparent to me that there is something in this Windows 7 gone wrong to not allow two different browser brands to connect to two separate servers, whereas another physical windows box has no problem making these connections.

I have researched this in blogs. The suggestion is to allow the exception by going into Firefox options->Advanced tab->Certificates->View->Server-> Add Exception. Then enter: https://192.168.1.94:10000. I tried that, but get a message that nothing found.

Because this SSL connection is refused, and not browser specific, what and where on this particular Windows 7 system do I need to look to make this function again? Out of desperation, I uninstalled/reinstalled Firefox browser, of course no help.
Question by:RayRider
 
LVL 18

Expert Comment

by:Peter Hutchison
ID: 40405214
Security certificates always use names and not IP addresses, so you should never use an IP address when connecting to a secure web site. Try https://mywebsite.mycompany.com:10000.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40405221
Webmin only runs with 'https' and a self-signed certificate.  Here's what I get when I try to login to Webmin.
[Image: Webmin Certificate Message]
If you're not getting that on the other computer, it's because you already accepted the security exception.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40405225
Also, since I upgraded Webmin recently, it may have generated a new certificate which would require accepting the security exception again.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40405231
I just logged in with IE and Chrome and they are just as unwilling as Firefox because of the self-signed certificate.
0
 

Author Comment

by:RayRider
ID: 40405238
I'm not given the opportunity of accepting any security exception. I am away at the moment.

In the past, I have seen offers to accept. Not now! The working PC shows the server certificate as http://192.168.1.94:10000. This is not seen on the defective system.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40405251
As mentioned above by @Peter Hutchison, the certificate requires a name as shown above in my pic.  I don't know how you got it to work with an IP address since it's not supposed to.  Also you are showing 'http' rather than 'https' which is required with Webmin on my systems.  It won't let me login with an IP address or plain 'http'.

You should be getting the certificate error the first time you try to connect because it is a self-signed certificate.  That is the way it should work.
0
 

Author Comment

by:RayRider
ID: 40405291
I am using https. A typo!
0
 

Author Comment

by:RayRider
ID: 40405340
Back at it and have a little more information.

The working PC will connect to the Webmin host at: 192.168.1.94:10000. Therefore, I wanted to know what is in its Firefox security certificates. I took a look at Firefox options->Advanced tab->Certificates->View->Server and see an entry at the very top of the list as:

CERTIFICATE NAME = Not Stored; SERVER = 192.168.1.94; LIFETIME = Permanent

So, I tried connecting to the other server at 192.168.1.96. I get the page shown by Dave Baldwin in the above post saying:

This connection is untrusted. I clicked on: "I choose the risks". Then the page that asks to store the exception. Now, when I go back to view the certificates in Firefox, the second server is now there.

The faulty Windows machine is faulty in how it responds without a certificate. It does NOT ASK ME to "choose the risks". It just "blows away" with an invalid certificate.

So, my question still is how do I configure Windows 7 to show the "untrusted site page"?

I did a regedit scan, looking for 192.168.1.94:10000 and came up with nothing. I am guessing that these certificates are not stored in the Registry. Does anyone know how these are handled?
0
 

Author Comment

by:RayRider
ID: 40405380
A bit more research has led me to find a windows tool called "certmgr.msc". Also Microsoft Technet is telling me that the certificates are indeed stored in the registry.

So, going to the working PC, I browse the output of "certmgr.msc" and the registry locations for the certificates. Still, I DO NOT FIND any certificates for my 192.168.1.94 and .96 webmin server. I do see them in Firefox's certificate tab. There is much more to this that is not revealing a solution.

Looking for more suggestions, please, while I continue to search for the answer. Thanks to all and any potential help!
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40405422
I added my Linux computer to my 'hosts' file with their IP address and host name.  Like we said above, certificates are Not supposed to be found with IP addresses.  When I try to connect to my Webmin with an IP address, it tells me to use the host name and shows me a link for it.  Searching for certificates with IP addresses should not give you any results.  And Firefox, by the way, has its own certificate storage separate from Windows.  IE and Chrome use the Windows certificate storage.
0
 

Author Comment

by:RayRider
ID: 40405684
The other identical win 7 machine is displaying (Firefox certificates) with an IP address, and behaves normally. Plus, this system has always shown the certificate server with an IP address, and worked that way until whatever happened to stop it. But, for the sake of eliminating any questionable issues, I will place the hostname in the hosts file and see what gives whenever I get to the system to make the changes.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40405741
"The other identical win 7 machine is displaying (Firefox certificates) with an IP address, and behaves normally."
All I can tell you is that the version of Webmin (1.700) that I have on my machines will not accept a connection by IP address.  It requires me to use a host name and it puts up a link with the correct info.  

I looked in the Certificates list in Firefox and I see the IP addresses of my servers there along with the server names.  If I ever connected with the IP address, I can't do it now.  And you could never do it on the public internet.

The host name in the 'hosts' file is a lookup for your computer.  It must match the hostname in the Linux machine.
0

 

Author Comment

by:RayRider
ID: 40406659
Can someone explain how windows 7 internally stores certificates? I have NOT BEEN SUCCESSFUL in locating even the WEBMIN certificates on the working machine. I don't find them with certmgr.msc, nor see them in the Registry. I don't believe they are specific to Firefox, even though Firefox is said to have them in a database named "cert8.db":  C:\Users\Ray\AppData\Roaming\Thunderbird\Profiles\h41dnn4k.default\cert8.db. I should clarify that it is reported that Firefox can store certificates here, not that all of them are in cert8.db.

I say this because neither Firefox, nor I.E. sees the certificate. There is something common to all browsers in my problem on this problematic machine.

Any suggestions?
0
 
LVL 18

Expert Comment

by:Peter Hutchison
ID: 40406738
Certificates are stored on the server providing the service.

When a web browser accesses a secure site, it will read the public certificate from the web server (I believe into memory, so it will not be found on disk anywhere) to confirm the name matches the web site and that the Cert Authority is trusted and is not out of date.

Certificates are only stored on disk if you deliberately save them from the web page and import them from a CRT, CER, PFX, etc. file.
0
 

Author Comment

by:RayRider
ID: 40417628
I'm back to this again after some searching and thinking it over. I have come to the conclusion that a fix to this problem is to find a way for my Webmin server at https://192.168.1.94:10000 to "once again" present me with the window that says "This connection is untrusted". If I can ever get that message, the exception will be added to the system wherever this configuration information is stored, not the certificate itself, but the logic that decides if one is needed or not.

I understand that the certificate is not stored on the hard drive as Peter Hutchison has explained. And, that the certificate itself is downloaded from the Cert Authority, and that the two keys are checked.

In my Firefox and I.E. browser, I can look at the certificate servers. Where does that information come from? Webmin is NOT using a certificate. That is the reason to declare it "untrusted" and accept the "risk". And when I get to do those steps in accepting the untrusted connection, I get an entry in the Firefox browser's certificate list with IP address of the server running Webmin. No domain name is required as suggested above. I have checked this out on other working browser - Webmin pairs. All have the exception listed as the LAN IP and not a domain, or hostname.

However, this win 7 machine does not have an entry in the browser's security certificate list for either of my two Webmin servers. The browser refuses to allow a manual entry for my "untrusted" Webmin.

A key bit of information leading to a solution is that this fault is indicating the certificate is "invalid", not that it is missing. If I can figure out how to remove any history, then I believe it will warn me of the "untrusted connection", allowing me to accept the risks. Something has gotten out of sync.
0
 

Author Comment

by:RayRider
ID: 40417651
I would like to show the browser security certificates from working system. This is a screen capture.
[Image: Firefox security certificate list]
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40417677
"Webmin is NOT using a certificate."
That is simply wrong.  It is using a 'self-signed' certificate and when you connect the first time it says that.  More info in the middle of the page here: http://www.webmin.com/faq.html  Note that in all of their examples they are using a host name and not an IP address.

And here is their 'Wiki' page about it with a note that recent versions have changed from a fixed SSL to generating a new key at installation: http://doxfer.webmin.com/Webmin/SecuringWebmin

I also have similar listings in my Firefox Certificate manager as shown below.  After this last update, I had to switch from IP connections to hostname connections.  The two IP listings have been replaced by the 'davidubu' and the 'dibsubu' connections because the IP connections no longer work.
[Image: Firefox Certificates]
You're complaining that things are not as they used to be and you're probably correct.  Typically software is written to let you continue using older methods (at least for a while) but when you make a new connection or installation, you will be required to use the newest current method.
0
 

Author Comment

by:RayRider
ID: 40417723
Dave, Some of my conclusions are rooted from having insufficient knowledge on this very complicated subject. Yes, the general flow is understood somewhat. But, I'll never be a security expert, or try to be one when all I wanted to do is connect a tool to my two ubuntu servers which I have been doing for such a long time, and still can from other machines that are similar in versions, etc.

Since you first mentioned using a hostname instead of an IP address, I checked to see that hosts file did contain the hostnames of these two servers. I attempted to connect to them the way you have shown above. I still get the same errors.

I have seen some information on the net relating to Webmin using a 512 byte key vs. a 2048. The error is "Error code: sec_error_invalid_key". But, all the time with this problem, I have been trying to put human reasoning to this problem as my other win7 desktop and two win7 laptops connect with no problem. However, I am going to have to move on to other thinking regardless the other machines working.

Thanks for the help. I'll keep struggling along, trying other things I run across. If you can suggest other ideas, please pass them on.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40417730
All I did the last time was use the link that Webmin put up with the hostname and accepted the security exception to get it to connect.  That's what you have to do with self-signed certs.  What version of Webmin are you using?  I have upgraded to the latest version which is 1.710.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40417731
Try connecting to webmin with 'http' and see what it says.  This is what happens when I try that.  It gives the correct link to connect to it.  I would still have to accept the security exception if I had not done that already.
[Image: Webmin http IP message]
0
 

Author Comment

by:RayRider
ID: 40417735
I am running Webmin 1.710. I already tried the http instead of the normal https. I get the same message as you did about server running in SSL mode.
0
 

Author Comment

by:RayRider
ID: 40417742
Referring back to my comment about 512 byte encryption, while I was looking at Webmin from the working desktop, I went to the configuration icon and selected the SSL configuration. This version is already using a 2048 byte key.

I also saw an option to disable SSL. I hate giving up on something, and really would like to find the real problem....but the thought was tempting. LOL
0
 
LVL 82

Accepted Solution

by:
Dave Baldwin earned 500 total points
ID: 40417782
"the real problem" is that Webmin doesn't want to support SSL/TLS on IP addresses.  Neither does anyone else and on a public web site, you can't use IP addresses with an SSL/TLS certificate.  You are expected to use the domain name that is listed in the certificate.  

This is an IP link to my web site with 'https': https://184.105.130.49/  You can take a look at the error message.  While Firefox will let me enter an exception, it appears that Webmin will no longer accept that on a 'new' connection.

Don't be surprised if the machines that are still working with IP addresses stop working that way in the future.  Use the domain name link that it shows you.
0
 

Author Comment

by:RayRider
ID: 40418236
Dave,

I feel privileged that you have "hung in there" with me on this issue. The more I look for a solution, the more I get confused! For example, I followed your link above. Behold, Firefox warns about an "untrusted connection". But, Firefox 33.0 allows me to accept the risk, and I am allowed to proceed to your site. Firefox says it is adding the exception, but it doesn't show up on Firefox's certificate manager. These once did; I have a partial understanding.

Looking closer at the Firefox versions between problematic situation, and the other so called working systems, I discovered that the working systems are running Firefox 32.0.3, NOT 33.0 like this one. Firefox version 32.0.3 is allowing the adding of exceptions to "all" untrusted sites. However Firefox version 33.0 will not allow adding an exception to the Webmin server, but it will allow me to add your server. I am not understanding why the difference, other than a suspicion that Firefox 33.0 thinks the Webmin certificate is "invalid".

Why Firefox 32.0.3 will show the non stored certificates of Webmin, and not show the exception to your site is also a mystery to me.

So, as another test, I downloaded Chrome to the problem machine. Chrome allows me to make the connection to Webmin, after accepting the warnings.

I have concluded that this is a Firefox 33.0 problem, as it thinks the certificate is invalid, but has no feature to manage, or purge it. My solution is to use Chrome to manage Webmin. Or, maybe try to configure Webmin to not use SSL connections.

I will give you all the points and appreciate all the help.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40418408
Thanks, glad to help.  Note that my screen shot above of the Firefox certificates was taken on Firefox 33.0.2.  I just tried the Webmin connection on another computer that had never connected to it and is running Firefox 33.0.2.  It would let me make the exception with either IP address or hostname.  So you may be right about Firefox 33.0 being the problem.
0
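
Added example, not part of any post in this thread: the discussion turns on two properties of the certificate Webmin presents, its RSA key size and whether it covers the IP address or only a host name, and this script reports both with the `openssl` command line. The host name `webmin-host`, the sample certificates and the function names are constructed for illustration, and `-addext` assumes OpenSSL 1.1.1 or later.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Assumes OpenSSL 1.1.1+ (for -addext).

# Save the certificate a server presents, e.g.
#   fetch_cert 192.168.1.94 10000 > webmin.pem
fetch_cert() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Report RSA key size, whether subject equals issuer (self-issued), and
# whether the certificate covers what was typed into the browser.
# $1 = PEM file, $2 = host name or IPv4 address from the URL
inspect_cert() {
    local pem=$1 target=$2 bits subj issuer self=no match=no check=-checkhost
    bits=$(openssl x509 -in "$pem" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    subj=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253)
    issuer=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253)
    if [ "${subj#*=}" = "${issuer#*=}" ]; then self=yes; fi
    # An IP is matched only against iPAddress SAN entries; a host name is
    # matched against DNS SAN entries, or the CN when there are none.
    case $target in
        *[!0-9.]*) ;;                 # has a non-digit, non-dot: host name
        *) check=-checkip ;;
    esac
    if openssl x509 -in "$pem" -noout "$check" "$target" |
            grep -q 'does match'; then
        match=yes
    fi
    echo "bits=$bits self_issued=$self name_match=$match"
}

# Constructed samples: a 512-bit certificate that names only a host, and a
# 2048-bit one that also lists the server's IP address.
make_samples() {
    openssl req -x509 -newkey rsa:512 -sha256 -nodes -days 1 \
        -subj "/CN=webmin-host" \
        -keyout "$1/weak.key" -out "$1/weak.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 1 \
        -subj "/CN=webmin-host" \
        -addext "subjectAltName=DNS:webmin-host,IP:192.168.1.94" \
        -keyout "$1/good.key" -out "$1/good.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_samples "$tmp"
inspect_cert "$tmp/weak.pem" 192.168.1.94   # 512-bit key, IP not covered
inspect_cert "$tmp/weak.pem" webmin-host
inspect_cert "$tmp/good.pem" 192.168.1.94
```

Against a live server, save the certificate with `fetch_cert` first and pass the resulting file to `inspect_cert` together with whatever appears in the browser's address bar.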
